The NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, published June 2015 (updated January 2016), focuses on information shared by federal agencies with non-federal entities. With its implementation deadline, 31 December 2017, looming, governmental contractors and sub-contractors are running out of time to update their policies and reach compliance.
What is NIST 800-171 and who does it apply to?
Issued by the National Institute of Standards and Technology(NIST), the publication works as a guide for federal agencies to guarantee that Controlled Unclassified Information(CUI) is protected when processed, stored and used in non-federal information systems. This sort of data is often shared by the federal government with institutions and organizations that carry out the work of federal agencies.
Executive Order 13556, issued by the White House in 2010, gave Controlled Unclassified Information (CUI), that previously had various interpretations, a single definition for all federal agencies. It was created by the National Archives and gathered in the Controlled Unclassified Information (CUI) Registry. CUI can generally be described as information that is not in the classified category. The term appeared out of the need for federal agencies to address the large amount of unclassified information processed by vendors and service providers as they are required to do under FISMA.
The 109 controls set out in NIST 800-171 are tailored on NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations and aim to protect CUI in nonfederal information systems from unauthorized disclosure. They are separated into 14 families of security requirements, ranging from access control and auditing to personnel security and system and communications protection.
In many cases, other federal laws or regulations such as FISMA might address how data must be protected. In instances where there is no specific law that addresses how CUI received from the federal government must be protected, NIST 800-171 will be applied. As of 31 December 2017, nonfederal entities will have to provide documentation and evidence to the federal government as to how they are protecting CUI.
How can DLP help?
Data Loss Prevention tools, such as Endpoint Protector, can contribute to overall NIST 800-171 compliance through a number of points. Device control features for example allow admins to lockdown, control and monitor portable storage devices connected to computers as well as peripheral ports. They can implement strong device use policies that will scan data transfers to portable storage devices or block their usage in order to protect sensitive data from exposure.
USB encryption, another popular DLP offering, ensures that all data transferred to USB storage devices is automatically encrypted and so cannot be accessed in case a device is lost or stolen. In this way, users can safely transfer confidential data and access it only on authorized computers via a secured password. Admins can also remotely send messages to users and change passwords in case they are forgotten or misplaced.
Content Aware features increase visibility of sensitive data leaving computers and endpoints in a network, giving companies detailed control over it. Through close content inspection, transfers of important company documents can be logged and reported as well as blocked based on predefined company policies.
It is also possible to scan sensitive data at rest, stored on employees’ computers, based on specific file types, predefined content, file name, Regular Expressions or compliance profiles such as NIST 800-171. Based on the scan results, remediation actions can be taken like encrypting or deleting data remotely to avoid any compliance breaches.
Data protection is not a new concern in the IT market, but with new regulations springing up in both the US and Europe, it’s becoming increasingly obvious that, what was once a cautionary choice is becoming a mandatory one. Solutions for Data Loss Prevention(DLP), Network Access Control (NAC), Antivirus, Information Rights Management (IRM) etc. have become essential tools for companies looking to upgrade their data protection standards and align them with new legislation and the situation is no different in the case of NIST 800-171.
Frequently Asked Questions
NIST 800-171 sets security requirements in 14 different categories for protecting the confidentiality of CUI and explaining compliance requirements. These can be summed up in two broad ones – administrative and technical. The security requirements include: access control, awareness training, audit and accountability, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system and communications protection, system and information integrity.
- Identify, locate and categorize Controlled Unclassified Information (CUI)
- Implement required controls and monitor data
- Train employees
- Valuate systems and processes
Implementing the NIST 800-171 controls bring several benefits, including:
- a secure foundation for information processing and a scalable security approach to sensitive data protection
- a standardized way to handle CUI and a common framework for risk management
- Train employees
- reduced risks of insider threats and data breaches.
Data Loss Prevention (DLP) solutions are security tools that help organizations to ensure that sensitive business information does not get outside the corporate network or to a user without access. With DLP software, companies can defend against data theft, loss, and exfiltration as well as make a difference in the process of data protection. By implementing one, it becomes possible to better identify, manage, and protect valuable business information and assets.
Download our free ebook on
A comprehensive guide for all businesses on how to ensure GDPR compliance and how Endpoint Protector DLP can help in the process.